Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
42s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/11/2024, 05:02
Static task
static1
Behavioral task
behavioral1
Sample
RFQ.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RFQ.exe
Resource
win10v2004-20241007-en
General
-
Target
RFQ.exe
-
Size
1.4MB
-
MD5
a88b0ddc1c80b37e8af7ca017929bf88
-
SHA1
601ae4b9be7c6619680d6ac19e4dae3acb572464
-
SHA256
9b6c97ad4d3d563b1bf7330e0aef16649514a1e0ac422bf99368bbb5a0069c4c
-
SHA512
a776e6d0db9c16ed2b2ce90ed06f3cdc4101e05399503c201a8c409a3d4b8b846d7a6dce5ca634199946962a6655788b7d6bed44509e76bd69a7590c3dbbe927
-
SSDEEP
24576:ozsSzxWeyf1eLZajkRqxnTf/7UeCL4EryZNK0P+:ozsUW5fJkUnTfDUe04Ee7bW
Malware Config
Extracted
remcos
RemoteHost
154.216.16.54:6092
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-YJ70D0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
true
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2836 powershell.exe 2792 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation RFQ.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" RFQ.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" RFQ.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4552 set thread context of 3260 4552 RFQ.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RFQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RFQ.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4552 wrote to memory of 2792 4552 RFQ.exe 91 PID 4552 wrote to memory of 2792 4552 RFQ.exe 91 PID 4552 wrote to memory of 2792 4552 RFQ.exe 91 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93 PID 4552 wrote to memory of 3260 4552 RFQ.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ.exe"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:2792
-
-
C:\Users\Admin\AppData\Local\Temp\RFQ.exe"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3260 -
C:\ProgramData\Remcos\remcos.exe"C:\ProgramData\Remcos\remcos.exe"3⤵PID:2392
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"4⤵
- Command and Scripting Interpreter: PowerShell
PID:2836
-
-
C:\ProgramData\Remcos\remcos.exe"C:\ProgramData\Remcos\remcos.exe"4⤵PID:1336
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"5⤵PID:4176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.06⤵PID:2560
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff874cb46f8,0x7ff874cb4708,0x7ff874cb47187⤵PID:1764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:27⤵PID:1240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:37⤵PID:3168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:87⤵PID:1736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:17⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:17⤵PID:2312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:17⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:87⤵PID:4404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:87⤵PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:17⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:17⤵PID:2572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:17⤵PID:4352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:17⤵PID:1260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:17⤵PID:4996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16354983097090720322,7933176051568327720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:17⤵PID:2164
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.06⤵PID:2312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff874cb46f8,0x7ff874cb4708,0x7ff874cb47187⤵PID:4020
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3692
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5a88b0ddc1c80b37e8af7ca017929bf88
SHA1601ae4b9be7c6619680d6ac19e4dae3acb572464
SHA2569b6c97ad4d3d563b1bf7330e0aef16649514a1e0ac422bf99368bbb5a0069c4c
SHA512a776e6d0db9c16ed2b2ce90ed06f3cdc4101e05399503c201a8c409a3d4b8b846d7a6dce5ca634199946962a6655788b7d6bed44509e76bd69a7590c3dbbe927
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\069a0a44-e968-48fc-b2c4-9efa498e9d82.tmp
Filesize6KB
MD54fa0dd8d1b40f2b5ea84613d6bc38fb2
SHA14b1553fa9dc36e2eff0560f3a6af53229f2f08db
SHA256c28233a429cce74fdefe84ccc97cce1dc5d9e6a229368b46c24bb3a106286a62
SHA5121f66e5d8f43a6c8add58e82b59cda3e92576771de414b0b8ab86b6c14a470175c89ffeeca236585edef1a67a39bed0d7625cb349063d04a6401b076c958d1222
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD53fcca9583d0a7b669420ee8403f53fd4
SHA176dc1b7715009d60b654b0b1617b16adcaf8d6e1
SHA256d6af800b9e4183789b133d33b63012983e138c99cac8c3ce0756a4fda3b758aa
SHA51201442ed83a5f1d8de355f9ad81472f52cceff1f896e8738947d3b69720c7e0080b4a5174e2900f73c47502a5d5b1aef01710ce7c2e56dc3600907a1861b3de1d
-
Filesize
5KB
MD5bb729543896a9baa802d475dbc222fc6
SHA15a12071f99fb1b316506070eea1d09e706a5e706
SHA2569449346373d237e8bf43d387d4b59eebf50e43836d2e8e36a9f8136b30e68f93
SHA51273a699765a7d4b2cd4e9f714cda65f60047601ddf795c256d0f820f02dc068e7ce4a814fa38f17011b8e33169fbcedd46be679d0958260bcc8b312f6fc52f672
-
Filesize
371B
MD512abe0fc977bf3d684fec03d32979250
SHA1503bef881f53844465a1a30e86ebdae502a75d61
SHA2568ebeac513b89558ee97e731eb5d9ff9618daa631ff530ed2e7f4e4c6fd269df5
SHA512e87c44453eb4b70fedc7c5c145d6552869cb663c9d3678d3a3290a74e7ceb2d36d1585ed074b7e83e1535a04e2600cccd9436e48d986aad59e98a69260dd009e
-
Filesize
371B
MD506b1a3024a773d46aa7e0c6df1f43f7f
SHA127a3b12925bef401e31dcee7a2c07df6ea68d533
SHA256475dd9744772d08b00fac0893987f70738d7d91191f64bad9d4a49428f180bd2
SHA5123f4ce9e2e6f179037628f52debb5a2fe2865263091fee2692d7e1f72233b91550d0c1b59f2ed7817b50bdb6e1990fccc2d6d197556d674e504fa162bf0bd3f13
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\baee100f-9b70-47fc-9c8c-083951c85ae9.tmp
Filesize6KB
MD52c2771b99aeefe62117b3efb26cfad65
SHA14a87a3be497e9b6f01b20eb3badf67ca38180c00
SHA256d9a9a712dfc6b547470dbc6cdb59c9702c92549ada36ec2e709430784c2543a8
SHA5128b9df80b7f8ee630e11e953545ed5c504fa91d270c3857425949caaaa4a52a0197d82490d081d752abc51c47086d500765fdd441157124db7f7d89216e32d107
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD52367893b4d51115b10f4705c9df471b1
SHA18889a09ce8313d07ce56da909fc74b4d1d276bd7
SHA2564aff2f53fa479ef7365adfc7894cd1594dd9075dfda6ebecd39dbfc24df9facc
SHA5121a33a6633ab28259b2a8df452c1c013bbeddff504a649510b96584e9cc496fd6b9beafb02520021165a4a1d9bda037767074615c71a474d1fde0d147379c154a
-
Filesize
18KB
MD55865211c965f6d1285ae508e63ace2eb
SHA189cbaba8447d8ff1d29bac037af5f72d5cf6c96b
SHA256552b4a9eda89ed5409df4be58e4f557c1affc421fca438c69064388aec841b51
SHA5125058e7cc891b0749989575a7dc442abe574d746d8e0ce2272ad71e27279a54ef2b97fd6a4a1f9f99486d66f9bc9ba1d0fcdc20edf86a4f9a4eb5503739c6dc83
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82